Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 03-05-2021 19:56
Static task: static1
Behavioral task: behavioral1
- Sample: 2bd0394601a1a4006bc56efa2f405d25.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 2bd0394601a1a4006bc56efa2f405d25.exe
- Resource: win10v20210408
General
- Target: 2bd0394601a1a4006bc56efa2f405d25.exe
- Size: 876KB
- MD5: 2bd0394601a1a4006bc56efa2f405d25
- SHA1: 373bff8a86a336976bea0cd8ab86ff897984c872
- SHA256: 9eeaa4a0bcfc641d7f395c5a7d5ac15a8d50b18f8ef1ac3545c55c5679367228
- SHA512: 705419f6e38a45a7858df73764744e891318f1b4d2ff2aff1e134af009f21c433deb6e9a55040f419f750fe4f27d3259a224ad8c994aeb4d6a209b1d7e1c9951
Malware Config
Extracted:
- redline
- ftp
- videdoshin.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/3576-120-0x0000000000400000-0x000000000041C000-memory.dmp | family_redline
  behavioral2/memory/3576-121-0x000000000041638E-mapping.dmp | family_redline
-
Suspicious use of SetThreadContext (1 IoC)
Processes: 2bd0394601a1a4006bc56efa2f405d25.exe
  description | pid | process | target process
  PID 636 set thread context of 3576 | 636 | 2bd0394601a1a4006bc56efa2f405d25.exe | 2bd0394601a1a4006bc56efa2f405d25.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 2bd0394601a1a4006bc56efa2f405d25.exe
  description | pid | process
  Token: SeDebugPrivilege | 3576 | 2bd0394601a1a4006bc56efa2f405d25.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 2bd0394601a1a4006bc56efa2f405d25.exe
  description | pid | process | target process
  PID 636 wrote to memory of 3576 | 636 | 2bd0394601a1a4006bc56efa2f405d25.exe | 2bd0394601a1a4006bc56efa2f405d25.exe
  (the same entry is reported 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\2bd0394601a1a4006bc56efa2f405d25.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bd0394601a1a4006bc56efa2f405d25.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2bd0394601a1a4006bc56efa2f405d25.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2bd0394601a1a4006bc56efa2f405d25.exe"
    Depth: 2
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/636-114-0x0000000000DD0000-0x0000000000DD1000-memory.dmp (Filesize: 4KB)
- memory/636-116-0x0000000005860000-0x0000000005861000-memory.dmp (Filesize: 4KB)
- memory/636-117-0x0000000003280000-0x00000000032A0000-memory.dmp (Filesize: 128KB)
- memory/636-118-0x0000000005F00000-0x0000000005F01000-memory.dmp (Filesize: 4KB)
- memory/636-119-0x00000000032C0000-0x00000000032C1000-memory.dmp (Filesize: 4KB)
- memory/3576-120-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/3576-121-0x000000000041638E-mapping.dmp
- memory/3576-124-0x0000000005A20000-0x0000000005A21000-memory.dmp (Filesize: 4KB)
- memory/3576-125-0x0000000005410000-0x0000000005411000-memory.dmp (Filesize: 4KB)
- memory/3576-126-0x0000000005470000-0x0000000005471000-memory.dmp (Filesize: 4KB)
- memory/3576-127-0x00000000054B0000-0x00000000054B1000-memory.dmp (Filesize: 4KB)
- memory/3576-128-0x0000000005410000-0x0000000005A16000-memory.dmp (Filesize: 6.0MB)
- memory/3576-129-0x0000000005750000-0x0000000005751000-memory.dmp (Filesize: 4KB)